Full Disclosure mailing list archives

Re: [Full-Disclosure] Re: Full-disclosure digest, Vol 1 #1950 - 4 msgs
From: William Warren <hescominsoon () emmanuelcomputerconsulting com>
Date: Tue, 05 Oct 2004 15:13:27 -0400

go here to change your subscription:

chris_tang () so-net com hk wrote:

Hi,

Please be advised that my email has been changed to: chriskftang () yahoo com

Please send all "full-disclosure" newsletters or related messages to the above email address.

Thanx
Best Rgds,
Chris Tang

On Tue, 05 Oct 2004 12:00 , full-disclosure-request () lists netsys com sent:

Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-admin () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."

Today's Topics:

 1. [TURBOLINUX SECURITY INFO] 05/Oct/2004 (Turbolinux)
 2. RE: Spyware installs with no interaction in IE on fully patched XP SP2 box (Castigliola, Angelo)
 3. SUSE Security Announcement: samba (SUSE-SA:2004:035) (Thomas Biege)
 4. Paranoid ramblings - what's the deal? Bounded variables aren't? (Clairmont, Jan M)


Message: 1
Date: Tue, 5 Oct 2004 22:30:17 +0900
From: Turbolinux <security-announce () turbolinux co jp>
Reply-To: server-users-e () turbolinux co jp
To: security-announce () turbolinux co jp
Subject: [Full-disclosure] [TURBOLINUX SECURITY INFO] 05/Oct/2004


This is an announcement only email list for the x86 architecture.
Turbolinux Security Announcement 05/Oct/2004

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center

(1) squid -> DoS vulnerability in squid
(2) ImageMagick -> Multiple buffer overflow vulnerabilities in ImageMagick

* squid -> DoS vulnerability in squid

More information :
  Squid is a high-performance proxy caching server for web clients, supporting
  FTP, gopher, and HTTP data objects. Unlike traditional caching software,
  Squid handles all requests in a single, non-blocking, I/O-driven process.

  A vulnerability in the NTLM helpers in squid.

Impact :
  The vulnerabilities allow remote attackers to cause a denial of service of squid server services.

Affected Products :
  - Turbolinux Appliance Server 1.0 Hosting Edition
  - Turbolinux Appliance Server 1.0 Workgroup Edition
  - Turbolinux 8 Server
  - Turbolinux 8 Workstation
  - Turbolinux 7 Server
  - Turbolinux 7 Workstation

Solution :
Please use the turbopkg (zabom) tool to apply the update.
[Turbolinux 10 Desktop, Turbolinux 10 F...]
# zabom -u squid

# turbopkg
# zabom update squid


Notice :
  After performing the update, it is necessary to restart the squid daemon.
  To do this, run the following command as user root.
# /etc/init.d/squid restart
# /etc/rc.d/init.d/squid restart



* ImageMagick -> Multiple buffer overflow vulnerabilities in ImageMagick

More information :
  ImageMagick(TM) is an image display and manipulation tool for the X
  Window System.  ImageMagick can read and write JPEG, TIFF, PNM, GIF and
  Photo CD image file formats.

  Multiple buffer overflow vulnerabilities in ImageMagick allowing remote
  attackers to execute arbitrary code via a malformed image or video file.

Impact :
  These vulnerabilities may allow remote attackers to execute arbitrary
  code via a malformed image or video file in AVI or BMP formats.

Affected Products :
  - Turbolinux 10 F...
  - Turbolinux 10 Desktop
  - Turbolinux 8 Server
  - Turbolinux 8 Workstation
  - Turbolinux 7 Server
  - Turbolinux 7 Workstation

Solution :
Please use the turbopkg (zabom) tool to apply the update.
[Turbolinux 10 Desktop, Turbolinux 10 F...]
# zabom -u ImageMagick ImageMagick-devel

# turbopkg
# zabom update ImageMagick ImageMagick-devel




* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.


Package Update Path

* To obtain the public key

Here is the public key


* To unsubscribe from the list

If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl () turbolinux co jp> with
the word `unsubscribe' in the body (don't include the quotes).


* To change your email address

If you ever want to change your email address in this mailing list,
you can send a message to <server-users-e-ctl () turbolinux co jp> with
the following command in the message body:

chaddr 'old address' 'new address'

If you have any questions or problems, please contact
<supp_info () turbolinux co jp>

Thank you!




Message: 2
Subject: RE: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
Date: Tue, 5 Oct 2004 10:50:02 -0400
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
To: "Alla Bezroutchko" <alla () scanit be>, <full-disclosure () lists netsys com>

I am sure there is a configuration setting or software (perhaps the
software made the configuration change) that is preventing this from
installing on your computer.
I tested with a default XP SP1 install with all the Microsoft Updates
that have been applied to stop this type of IE hack. The spyware still
installs itself on the machine.

XP SP1 with the following patches:

These are _ALL_ the Microsoft Updates that specifically patch up IE
My question to the forum is: If this is not a 0-day IE exploit that
allows software to install on a computer with no user interaction then
what Microsoft Update applies to this exploit?

Again I fear there is no Microsoft Update available that will fix this

Can someone confirm that a Default install of XP SP2 with all patches
will not stop spyware from themexp.org from installing?

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Alla
Sent: Tuesday, October 05, 2004 7:01 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no interaction in
IE on fully patched XP SP2 box

Carr, Robert wrote:


I just went there, and he's right. Atpartners.cab installed without permission. My McAfee picked it right up as Atpartners.dll, downloaded to Temp Internet files. Spyware detected as NetPals. On the other hand, I'm admin of my machine, I wonder if a "user" would get an error message about not having the correct rights...

I have tested it on Windows XP SP2 and on fully patched Windows 2000. In both cases _nothing_ gets run or installed. Both systems are more or less standard installations without any special IE hardening (except patches).

When I surf to the site with Windows XP "Installing components... ATpartners.cab" briefly appears in the status bar and then the site gets displayed. Under the normal browser bars there is a message saying "The site might require the following ActiveX control: FREE on-line games and special offers from... Click here to install...". I don't click on it. Searching the disk for atpartners.cab or atpartners.dll finds nothing. The CLSID of the ActiveX control only appears in the registry in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\"

With Windows 2000 I also get "Installing components... ATpartners.cab" in the status bar and then the dialog box asking if I want to install "Free online games from ATgames.com". This is a usual dialog box you get when a page attempts to install an ActiveX control. If I click "No", nothing gets installed, no atpartners files on the file system, no traces of the CLSID in the registry.

I suppose the cab file gets downloaded so that Windows can read and display the signature of the file. It does not get run or installed unless explicitly permitted by user.

So, as far as I can see this is no 0-day.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Message: 3
Date: Tue, 05 Oct 2004 16:57:52 +0200
From: Thomas Biege <thomas () suse de>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] SUSE Security Announcement: samba (SUSE-SA:2004:035)



                      SUSE Security Announcement

      Package:                samba
      Announcement-ID:        SUSE-SA:2004:035
      Date:                   Tuesday, Oct  5th 2004 16:53:01 MEST
      Affected products:      8.1, 8.2, 9.0
                              SUSE Linux Enterprise Server 8
                              SUSE Linux Desktop 1.0
      Vulnerability Type:     remote file disclosure
      Severity (1-10):        6
      SUSE default package:   Yes
      Cross References:       CAN-2004-0815

  Content of this advisory:
      1) security vulnerability resolved:
           - Samba file access problem
         problem description
      2) solution/workaround
      3) special instructions and notes
      4) package location and checksums
      5) pending vulnerabilities, solutions, workarounds:
          - opera
          - kernel
          - mozilla
      6) standard appendix (further information)


1) problem description, brief discussion

  The Samba server, which allows sharing files and resources via
  the SMB/CIFS protocol, contains a bug in the sanitation code of path
  names which allows remote attackers to access files outside of the
  defined share. In order to access these files, they must be readable
  by the account used for the SMB session.
  CAN-2004-0815 has been assigned to this issue.

2) solution/workaround

  As a temporary workaround you can set the
   wide links = no
  option in smb.conf and restart the samba server. However an update
  is recommended nevertheless.

3) special instructions and notes

  After successfully updating the samba package, you need to issue the
  following command as root:

    rcsmb restart

4) package location and checksums

  Please download the update package for your distribution and verify its
  integrity by the methods listed in section 3) of this announcement.
  Then, install the package using the command "rpm -Fhv file.rpm" to apply
  the update.
  Our maintenance customers are being notified individually. The packages
  are being offered to install from the maintenance web.

  SUSE Linux 9.0:
  patch rpm(s):
  source rpm(s):

  SUSE Linux 8.2:
  patch rpm(s):
  source rpm(s):

  SUSE Linux 8.1:
  patch rpm(s):
  source rpm(s):

  x86-64 Platform:
  SUSE Linux 9.0:
  patch rpm(s):
  source rpm(s):


5)  Pending vulnerabilities in SUSE Distributions and Workarounds:

   - opera
   New opera packages are available on our ftp servers, fixing
   CAN-2004-0691, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 and

   - kernel
   Update kernels for the kNFSd problem for SLES 8 and SL 8.1 have been

   - mozilla
   We are in the process of releasing updates for mozilla (and related
   browsers), fixing various issues: CAN-2004-0597, CAN-2004-0718,
   CAN-2004-0722, CAN-2004-0757, CAN-2004-0758, CAN-2004-0759,
   CAN-2004-0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763,
   CAN-2004-0764 and CAN-2004-0765.
   We will give you concrete details in a separate mozilla advisory when
   the updates are available.


6)  standard appendix: authenticity verification, additional information

- Package authenticity verification:

  SUSE update packages are available on many mirror ftp servers all over
  the world. While this service is being considered valuable and important
  to the free and open source software community, many users wish to be
  sure about the origin of the package and its content before installing
  the package. There are two verification methods that can be used
  independently from each other to prove the authenticity of a downloaded
  file or rpm package:
  1) md5sums as provided in the (cryptographically signed) announcement.
  2) using the internal gpg signatures of the rpm package.

  1) execute the command md5sum after you downloaded the file from a SUSE
     ftp server or its mirrors.
     Then, compare the resulting md5sum with the one that is listed in the
     announcement. Since the announcement containing the checksums is
     cryptographically signed (usually using the key security () suse de),
     the checksums show proof of the authenticity of the package.
     We recommend against subscribing to security lists which cause the
     email message containing the announcement to be modified so that
     the signature does not match after transport through the mailing
     list software.
     Downsides: You must be able to verify the authenticity of the
     announcement in the first place. If RPM packages are being rebuilt
     and a new version of a package is published on the ftp server, all
     md5 sums for the files are useless.

  2) rpm package signatures provide an easy way to verify the authenticity
     of an rpm package. Use the command rpm -v --checksig to verify the
     signature of the package, where is the
     filename of the rpm package that you have downloaded. Of course,
     package authenticity verification can only target an un-installed rpm
     package file.
      a) gpg is installed
      b) The package is signed using a certain key. The public part of this
         key must be installed by the gpg program in the directory
         ~/.gnupg/ under the user's home directory who performs the
         signature verification (usually root). You can import the key
         that is used by SUSE in rpm packages for SUSE Linux by saving
         this announcement to a file ("announcement.txt") and
         running the command (do "su -" to be root):
gpg --batch; gpg
         SUSE Linux distributions version 7.1 and thereafter install the
         key "build () suse de" upon installation or upgrade, provided that
         the package gpg is installed. The file containing the public key
         is placed at the top-level directory of the first CD (pubring.gpg)
         and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SUSE runs two security mailing lists to which any interested party may

  suse-security () suse com
      -   general/linux/SUSE security discussion.
          All SUSE security announcements are sent to this list.
          To subscribe, send an email to
              <suse-security-subscribe () suse com>.

  suse-security-announce () suse com
      -   SUSE's announce-only mailing list.
          Only SUSE's security announcements are sent to this list.
          To subscribe, send an email to
              <suse-security-announce-subscribe () suse com>.

For general information or the frequently asked questions (faq) send mail to:
      <suse-security-info () suse com> or
      <suse-security-faq () suse com> respectively.

  SUSE's security contact is <security () suse com> or <security () suse de>.
  The <security () suse de> public key is listed below.

  The information in this advisory may be distributed or reproduced,
  provided that the advisory is not modified in any way. In particular,
  it is desired that the clear-text signature shows proof of the
  authenticity of the text.
  SUSE Linux AG makes no warranties of any kind whatsoever with respect
  to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security () suse de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build () suse de>


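The Samba issue above is a path-sanitization bug that lets a client reach files outside the defined share, and the `wide links = no` workaround stops symlinks inside a share from leading outside it. The following is an added Python example, not Samba's code, showing the two checks a share-serving daemon needs: a lexical clean-up that refuses `..` climbing above the root, and a post-symlink check that the real path still lies under the real share root; the share layout and file names are constructed.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class ShareEscape(Exception):
    """Raised when a client-supplied path would leave the exported share."""


def lexical_clean(client_path: str) -> PurePosixPath:
    """Normalise an SMB client path before touching the filesystem: SMB
    backslashes become '/', empty and '.' parts are dropped, '..' pops the
    previous part and is refused when nothing is left to pop (share root)."""
    parts = []
    for part in client_path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                raise ShareEscape(f"{client_path!r} climbs above the share root")
            parts.pop()
        else:
            parts.append(part)
    return PurePosixPath(*parts) if parts else PurePosixPath(".")


def resolve_in_share(share_root: Path, client_path: str, wide_links: bool = False) -> Path:
    """Map a client path onto the share directory.  With wide_links=False (what
    'wide links = no' asks of Samba) the path is resolved through symlinks and
    must still lie under the real share root, so a link pointing outside the
    share is rejected as well."""
    root = Path(share_root).resolve()
    candidate = root / lexical_clean(client_path)
    if wide_links:
        return candidate
    real = candidate.resolve()
    if real != root and root not in real.parents:
        raise ShareEscape(f"{client_path!r} resolves to {real}, outside {root}")
    return real


def demo() -> dict:
    """Constructed fixture: a share holding docs/a.txt plus a symlink 'leak'
    that points at a file outside the share.  Returns the check outcomes."""
    base = Path(tempfile.mkdtemp())
    share = base / "share"
    (share / "docs").mkdir(parents=True)
    (share / "docs" / "a.txt").write_text("constructed share file\n")
    (base / "outside.txt").write_text("constructed file outside the share\n")
    os.symlink(base / "outside.txt", share / "leak")
    out = {"clean": str(lexical_clean("docs\\.\\sub\\..\\a.txt"))}
    for label, path, wide in (("climb", "..\\..\\outside.txt", False),
                              ("leak_nowide", "leak", False),
                              ("leak_wide", "leak", True)):
        try:
            out[label] = resolve_in_share(share, path, wide).read_text().strip()
        except ShareEscape:
            out[label] = "rejected"
    return out
```

With `wide_links=True` the symlink is followed and the outside file's contents come back, which is exactly what the workaround in section 2 prevents.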


Message: 4
Date: Tue, 5 Oct 2004 11:48:59 -0400
From: "Clairmont, Jan M" <jan.m.clairmont () citigroup com>
To: <full-disclosure () lists netsys com>
Subject: [Full-disclosure] Paranoid ramblings - what's the deal? Bounded variables aren't?

Every time I send out a memo to full-disclosure I get this mail bounce message and
it gets posted on full-disclosure.  Anybody have an idea what's happening?

Message Follows:

From: Mailer-Daemon () ic-s nl

Subject: NDN: [Full-disclosure] Shows when no limits are set or restricted shell or bat ac

Sorry. Your message could not be delivered to:

tycho,IC&S (The name was not found at the remote site. Check that the name
has been entered correctly.)

Are these guys phishing, swishing or whatever Netherlands uber alles?
Or is this just their mail-server barfing?  Should probably point dig at it
and debug it but I have gotten in trouble for that type of "help" before?

Keep on computing, even though your bytes are fried.

Jan Clairmont, Paladin of the Dept. of Insecurity Department, where no redundancy is allowed or is it redundancy is required, have to look that up in the book of insecurity security chapter 4 verse 3 (The bible of the Mad Arab Adulah Medula, taken from the NecronoMicron or the latest M$ directorate).

Unix Security Support/Consultant I think?


Full-Disclosure mailing list
Full-Disclosure () lists netsys com

End of Full-Disclosure Digest


My "Foundation" verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"

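Both vendor advisories in this digest rest on the same integrity check: the Turbolinux announcement publishes a size and an MD5 per package, and SUSE's appendix tells the reader to run md5sum on the download and compare it with the value in the signed announcement. As an added example that is not part of either vendor's tooling, the Python below automates that comparison for a `size md5 filename` manifest (the filename column, package names and contents are constructed); it proves integrity against the announcement only, so the announcement's own signature is still what has to be verified first, as the SUSE text notes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One package per line, "<size> <md5> <filename>": the Turbolinux "Size : MD5"
# layout with a filename column added (constructed here). Headings never match.
MANIFEST_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{32})\s+(\S+)\s*$")


def parse_manifest(text: str) -> dict:
    """Return {filename: (size, md5)}; headings and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line)
        if m:
            size, digest, name = m.groups()
            entries[name] = (int(size), digest.lower())
    return entries


def md5_of(path: Path) -> str:
    """Stream the file through MD5 (the value 'md5sum <file>' prints)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(manifest_text: str, download_dir: Path) -> dict:
    """Check every announced package against what was downloaded.
    Result per file: 'ok', 'missing', 'size mismatch' or 'md5 mismatch'.
    Size is checked first: it is free and already catches truncated files."""
    report = {}
    for name, (size, digest) in parse_manifest(manifest_text).items():
        path = download_dir / name
        if not path.is_file():
            report[name] = "missing"
        elif path.stat().st_size != size:
            report[name] = "size mismatch"
        elif md5_of(path) != digest:
            report[name] = "md5 mismatch"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Constructed fixture: four announced packages; one downloaded intact,
    one truncated, one altered after the announcement, one never fetched."""
    d = Path(tempfile.mkdtemp())
    blobs = {"squid.rpm": b"constructed squid package\n" * 40,
             "squid-devel.rpm": b"constructed squid-devel package\n" * 40,
             "ImageMagick.rpm": b"constructed ImageMagick package\n" * 40,
             "ImageMagick-devel.rpm": b"constructed ImageMagick-devel package\n"}
    manifest = " Binary Packages\n Size : MD5\n\n" + "".join(
        f"{len(b):>8} {hashlib.md5(b).hexdigest()} {n}\n" for n, b in blobs.items())
    (d / "squid.rpm").write_bytes(blobs["squid.rpm"])
    (d / "squid-devel.rpm").write_bytes(blobs["squid-devel.rpm"][:-10])       # truncated
    (d / "ImageMagick.rpm").write_bytes(blobs["ImageMagick.rpm"][:-1] + b"!")  # altered
    return verify_downloads(manifest, d)
```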
